A vacuum vulnerability could mean your Roomba knockoff is hoovering up surveillance

Yet again we are reminded that the mild conveniences of the smart home are all well and good, right up until someone decides to turn one of those Wi-Fi-connected things you invited in against you.

But you probably didn’t think it was going to be the vacuum, did you?

Two researchers with enterprise security company Positive Technologies discovered vulnerabilities affecting the Dongguan Diqee 360 line of robotic vacuum cleaners and have shared details of the security flaw. The vacuum cleaners, manufactured by Chinese smart home manufacturer Diqee, are equipped with Wi-Fi and a 360-degree camera for a mode known as “dynamic monitoring” that turns the machine into a home surveillance device. The camera is probably what you need to be worried about.

The remote code vulnerability, known as CVE-2018-10987, can give an attacker who obtains the device’s MAC address system admin privileges. According to the report, the vulnerability is contained within the REQUEST_SET_WIFIPASSWD function and exploiting it requires authentication, though a default username and password combo is common (admin/888888).

The researchers suspect that the vulnerability in the Dongguan Diqee 360 robotic vacuum model might affect other products sharing the video module, including outdoor surveillance video cameras, smart doorbells and DVRs. Diqee also manufactures vacuums sold under other brands, as well, and researchers suspect that those devices would also be affected by the vulnerability.

Positive Technologies noted a second vulnerability, known as CVE-2018-10988, also affects the vacuum model, though it requires physical access through the SD card slot to compromise the machine.

The vacuum does come equipped with a privacy protection cover — a physical barrier for the camera that “solves the privacy leakage from hardware” according to the manufacturer. Positive Technologies informed the manufacturer of the vulnerability, although no information is available yet about a patch. TechCrunch reached out to Diqee about the vulnerability but had not heard back at the time of writing.

“Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners,” Positive Technologies Cybersecurity Lead Leigh-Anne Galloway said.

“Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a ‘microphone on wheels’ for maximum surveillance potential.”